ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access? 

X Yes 

O No 


O Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


O Yes 
X No 
O Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


On page 11 you mention that if we have concerns about disclosing excessive information 
we need to contact the data subject and if they agree we send the reply to them directly. 
If we cannot make contact, we should provide the information to the third party. We 
think this approach may cause confusion. If we have the initial concern then why should 
we disclose the information anyway? 


Q3 Does the draft guidance contain enough examples? 


O Yes 
X No


O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


- Complexity: we think more details and examples could have been provided to clarify 
complexity and highlight that context is key. Different organisations may have different levels of 
complexity. 

- Page 29: “What information must we supply” — reference to supplementary information “must 
remember to supply this information in addition to a copy of the personal data” what does this 
mean? And in what format? Can it be done by simply referring to the controller’s privacy policy 
in the SAR response or separately? 

- Disclosing third party data: SARs are about providing information not a document so can you 
redact (but how does this actually work in practice)? No real worked examples or criteria from 
ICO here in the guidance. 


Q4 We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


- It is unclear whether a controller can rely on “manifestly unfounded” point in cases where the 
individual is clearly being abusive to members of staff. On page 36 it looks like we should not 
rely on that but if we do there should be evidence. The line of what constitutes manifestly 
unfounded then becomes very fine, almost subjective. 


Q5 On a scale of 1-5 how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score?


We think that having guidance on SARs is extremely important; however, the new
draft guidance seems to move more towards placing great onus and burden on controllers
when complying with SARs (i.e. evidence on every decision made in respect of (i) whether
to disclose data, (ii) why something has been redacted in a certain way, / inconsistent 
approach in respect of risk to disclose excessive data but if data subject cannot be 
contacted then disclose anyway (see comment in Q2 above) / definition of and approach 
of manifestly unfounded concept: each case should be considered on a case by case 
basis and onus falls on controller to prove, which of course this type of evidence may be 
very subjective rather than an objective assessment of what manifestly unfounded 
means.) 

SARs are not straightforward and a less strict approach should be considered, balancing 
the rights of individuals and costs / time for controllers. 


More examples would be useful. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?

Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Page 23: guidance suggests controllers should make “extensive” efforts to find the information. 
Isn’t this excessive in the context of large organisations with multiple and complex systems?
Shouldn't this be reasonable / appropriate? On page 24 guidance uses the word “reasonable” 
instead. Also on page 25 you refer to “use the ‘same’ effort to find information to respond to a 
SAR as you would to find archived or backed-up data” — extensive or reasonable? 

Pages 23-24: it would be useful to include in the guidance an example where SAR is specific 
to specific information. Controller respects timelines, provides that data but then individual 
comes back asking for additional data. What is the position there: (i) new request / new 
timeline? (ii) part of the same request but no timeline? 

Proportionality: the guidance seems to remove references to proportionality - Previously 
controllers would balance benefit of supplying to data subject v. effort of finding the information. 
So how do controllers now know how to manage responses? Guidance doesn’t seem to 
consider time and cost burden of DSARs on organisations. 

Providing archived data: Guidance seems to expect processes to be in place to search
back-ups / archives. But this seems to be inconsistent with the point of a SAR (to get access to data
being currently processed). 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone
providing their views as a member of the public)

O An individual acting in a professional capacity

X On behalf of an organisation

O Other


Please specify the name of your organisation: 


Telefonica UK Limited 


What sector are you from: 


Telecoms 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 


Thank you for taking the time to complete the survey. 


